ABSTRACT

The invention relates to a conditional access system making 
it possible for a service provider to supply his services solely 
to users having acquired entitlements to these services. 

The services supplied by a service provider consist of an 
item scrambled by control words. To keep these control 
words secret, they are supplied in messages (MEC) after 
having been encrypted with an encryption algorithm with 
key K. 

According to the invention, one and the same message
(MEC) contains the same control word (Cwi) encrypted
several times, each encryption (E(Cwi)Kj) of the control
word depending on a different encryption key (Kj).

The invention applies to any type of conditional access
system, be this system either of "off-line" or "on-line" type.
CONDITIONAL ACCESS SYSTEM USING
MESSAGES WITH MULTIPLE ENCRYPTION
KEYS

BACKGROUND OF THE INVENTION

The present invention relates to a conditional access
system.

A conditional access system allows a service provider to
supply his services solely to users having acquired
entitlements to these services. Such is the case, for example,
in pay television systems.

As is known to a person skilled in the art, the service
supplied by a service provider consists of an item scrambled
by control words. The scrambled item can be descrambled,
and therefore read by the user, only with regard to the
entitlements allocated to this user. The scrambled item will
subsequently be denoted IE(ECG), where ECG represents
the unscrambled item.

To descramble the item, the service provider supplies each
user with the control words which served for scrambling the
item. To keep the control words secret, they are supplied
after having been encrypted with an algorithm with key K.
The various encrypted control words are sent to the various
users in messages which, for convenience, will be denoted
MEC in the subsequent description.

So as to accord access to its service solely to authorized
users, the service provider supplies a smart card and a
decoder to each of the users.

The smart card makes it possible, on the one hand, to
validate and record the entitlements which the user has to the
service delivered and, on the other hand, to decrypt the
encrypted control words. For this purpose, the smart card
contains the key K of the algorithm which allowed the
encryption of the control words.

The decoder, for its part, makes it possible to descramble
the scrambled item on the basis of the item consisting of the
encrypted control words from the smart card.

The entitlements of each user are sent in messages which,
for convenience, will be denoted MD in the subsequent
description.

According to the prior art, a message MD dedicated to a
user contains three main items:

a first item giving the address of the user's card;

a second item giving the description of the user's
entitlements;

a third item making it possible to validate the message
MD and verify that the user's entitlements contained in
the message MD are indeed the entitlements reserved
for the user.

As mentioned previously, the encrypted control words are
sent to the users by way of the messages MEC.

According to the prior art, a message MEC consists of a
header and a body:

the header gives, among other things, the type and size of
the items contained in the body of the message MEC;

the body consists, among other things, of an item
containing the set of conditions of access to the service
supplied by the provider, of an item containing a
control word encrypted with the algorithm with key K
and of an item containing a datum depending on the key
K and making it possible to validate and verify the
content of the message MEC and, more particularly,
access conditions contained in the message MEC.

When the decoder of a user recognizes the address of the
card associated therewith among the various addresses
distributed by the service provider, the message MD
corresponding to the recognized address is analysed. The
analysis of the message MD is performed with the aid of an
analysis algorithm controlled by the encryption key of the
control words.

Conditional access systems are mainly of two types.

A first system is commonly called an on-line system. In a
conditional access system of the "on-line" type, the
scrambled item IE (ECG) is an item consisting of a signal
distributed simultaneously to the various customers of the
service provider from a single source. This distribution can
be performed, for example, over the airways or else by
cable. As is known to a person skilled in the art, in such a
conditional access system, the messages MEC are sent by
the service provider with the scrambled item IE (ECG).

A second conditional access system is commonly called
an off-line system. In a conditional access system of
off-line type, the scrambled item IE (ECG) and the messages
MEC are contained on off-line information media such as,
for example, compact discs, digital video discs, or else
digital optical discs.

The invention will be more particularly described in the
case of off-line systems. However, as will emerge later, the
invention relates to any type of access control system, be this
system of off-line or of on-line type.

As mentioned previously, the key of the encryption
algorithm for the control words is contained in each user
card. It follows that the pirating of a single card may lead to
the knowledge of the key K. The service supplied by the
provider is then no longer protected.

The service provider must then supply each user with a
new card containing a new key K. Now, in the case of
off-line systems, the off-line information medium
constituted by, for example, the compact disc, the digital
video disc or else the digital optical disc, has a fixed content
which it is not possible to modify. To ensure the continuity of
the service he has to supply, the service provider is then
compelled, not only to market new off-line information
media compatible with the new encryption key, but also
completely to renew the existing pool of off-line information
media which he distributed before the change of encryption
key for the control words.

This represents a drawback, especially in terms of costs,
since the number of off-line information media may
frequently [...] thousand, or even several million.

FIG. 1 represents a format of a message MEC according
to the prior art.

The message MEC consists of a body C1 and a header 6,
the content (H1) of which gives, among other things, the
type and size of the items contained in the body C1.

The body C1 comprises, among other things, a first item
1, the content (ID) of which makes it possible to identify the
service provider, a second item 2 containing the set of access
conditions associated with the service supplied by the
provider, a third item 3, the content (I(K)) of which gives the
index of the key K of the encryption algorithm for the
control words, a fourth item 4 containing a control word Cwi
encrypted with the algorithm with key K (E(Cwi)K) and a
fifth item 5 containing a datum HASH_K making it possible
to validate and verify the content of the message MEC and,
more particularly, access conditions contained in the
message MEC. The datum HASH_K is controlled by the key
K for encryption of the control words.

In FIG. 1, the control word Cwi represents the current
control word, that is to say that making it possible to
descramble the part of the program being read. As is known
to a person skilled in the art, the message MEC which
contains Cwi generally also contains a second control word.
This second control word is the control word for the next
descrambling period, that is to say the current control word
of the message MEC which is to follow the message MEC
which contains Cwi as current control word. It is so as not
to needlessly encumber the drawing that this second control
word has not been represented in FIG. 1.

As is known to a person skilled in the art, the format of
the message MEC described in FIG. 1 is merely an MEC
message format example. In particular, the order defining the
succession of the various blocks 1, 2, 3, 4, 5 making up the
message MEC can be modified.

FIG. 2 represents the schematic of a user card according
to the prior art.

The user card 7 contains five main circuits:

a circuit 8 for validating the user's entitlements;

a circuit 9 for storing the validated entitlements of the
user;

a circuit 10 for access control;

a circuit 11 for validating the messages MEC;

a circuit 12 for decrypting the encrypted control words.

The validation circuit 8 makes it possible to perform on
the messages MD the operations of user address recognition
and user entitlements analysis. For this purpose, the
validation circuit 8 contains the key K of the encryption
algorithm. If the message MD is validated, the user's
entitlements contained in the message MD are stored in the
validated entitlements storage circuit 9.

The circuit 11 for validating the messages MEC makes it
possible to perform on the access conditions 2 contained in
the messages MEC operations identical to those performed
by the validation circuit 8 on the user's entitlements
contained in the messages MD. The validation circuit 11
contains the key K.

The decryption circuit 12 makes it possible to decrypt the
control words. For this purpose, the decryption circuit 12
also contains the key K of the encryption algorithm for the
control words.

The access control circuit 10 compares the validated
access conditions with the validated entitlements of the user.
If the validated access conditions correspond to the validated
entitlements of the user, a signal S, emanating from the
access control circuit 10 and applied to the decryption circuit
12, authorizes decryption of the control words. In the
contrary case, the signal S does not authorize decryption.

At the completion of the various steps of the decryption
procedure, the decrypted control words Cwi are generated
by the decryption circuit 12 so as to allow the descrambling
of the scrambled item IE (ECG).

SUMMARY OF THE INVENTION

In general, the present invention relates to a novel
conditional access system.

More particularly, the invention also relates to a novel
definition of the messages MEC, a novel user card, as well
as a novel off-line information medium in the case of off-line
systems.

Thus, the invention relates to a message (MEC) making it
possible to deliver conditions of access to a scrambled
service intended for at least one user, the said message
containing a first item consisting of a control word encrypted
by an algorithm with key K1, a second item, the content of
which makes it possible to validate and verify the content of
the message, the content of the second item being controlled
by a key Q. The message contains n-1 additional items each
containing the said control word encrypted by an encryption
algorithm with respective keys K2, K3, . . . , Kj, . . . , Kn.
The keys K1, K2, K3, . . . , Kn are different from one
another.

The invention also relates to a process making it possible
to descramble a scrambled service (IE(ECG)) supplied to at
least one user, the service being scrambled with the aid of
control words, the process comprising at least one step
making it possible to supply the user with a message (MEC)
containing a first item consisting of a control word encrypted
by an algorithm with key K1. The step makes it possible
to distribute in the message n-1 additional items each
containing the control word encrypted by an algorithm with
respective keys K2, K3, . . . , Kn.

The keys K1, K2, . . . , Kn are different from one another.

The invention also relates to a smart card making it
possible to decrypt the encrypted control words which it
receives, the encrypted control words being sent to the smart
card via a message such as that mentioned above according
to the invention.

The invention also relates to a conditional access system
making it possible for a service provider to supply his
services only to users having acquired entitlements to these
services, the said services consisting of an item scrambled
by control words, the said system comprising, for each user,
at least one decoder and at least one user card, the said card
containing, on the one hand, circuits making it possible to
validate and record the user entitlements to the service
delivered by the provider, the said entitlements being
conveyed to the user card by a first message (MD) and, on the
other hand, circuits making it possible to retrieve the control
words from the control words encrypted by an algorithm
with key K, the said encrypted control words being
conveyed to the user card by a second message (MEC). The
user card is a card such as that mentioned above according to
the invention and the second message (MEC) is a message
such as that mentioned above according to the invention.

The invention further relates to an off-line information
medium containing an item scrambled by a string of N
control words. The off-line information medium comprises
p item strings consisting of N encrypted control words, each
item string making it possible to descramble a scrambled
item, p being an integer greater than or equal to 1.

The key of the encryption algorithm for the control words
is contained in each user card.

According to the invention, when the pirating of the user
cards leads to the knowledge of the key of the encryption
algorithm for the control words, the service provider
changes the key as well as the key index which are contained
in the user cards by choosing a new encryption algorithm
as well as a new key index from among the keys and the
key indices already contained in the messages MEC.

In the case of off-line systems, for example, an advantage
of the invention is to prevent the change of encryption
algorithm key for the control words from entailing the
renewal of the entire pool of off-line information media
distributed before the change of key.

BRIEF DESCRIPTION OF THE DRAWINGS

Other characteristics and advantages of the invention will
emerge on reading a preferred embodiment given with
reference to the appended figures in which:

FIGS. 3a and 3b represent two formats of a message MEC
according to the invention;

FIG. 4 represents the schematic of a user card operating
with a message MEC according to FIG. 3a;
FIG. 5 represents the schematic of a user card operating
with a message MEC according to FIG. 3b.

In all the figures, the same labels designate the same
elements.

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

FIG. 3a represents a first MEC message format according 
to the invention. 

The message MEC consists of a body C2a and a header 
13, the content (H2) of which gives, among other things, the 
type and size of the items contained in the body C2a. 

The body C2a comprises, among other things, an item 14,
the content (ID) of which makes it possible to identify the
service provider, n items A1, . . . , Aj, . . . , An respectively
containing the same control word Cwi enciphered with
algorithms with respective keys K1, . . . , Kj, . . . , Kn, n items
DX1, . . . , DXj, . . . , DXn containing the indices I(K1), . . . ,
I(Kj), . . . , I(Kn) making it possible to recognize the
respective keys K1, . . . , Kj, . . . , Kn, an item 15 containing
the set of access conditions associated with the service
supplied by the service provider, and an item 16 containing
a datum HASH_Q making it possible to validate and verify
the content of the message MEC and, more particularly,
access conditions contained in the message MEC. The
datum HASH_Q is controlled by a key Q preferably different
from any one of the encryption keys K1, . . . , Kj, . . . , Kn.

According to a first embodiment of the invention, the
algorithm with key Kj is the same irrespective of the rank j
(j=1, 2, . . . , n) of the key Kj. This may, for example, be the
algorithm known by the abbreviation RSA ("RIVEST
SHAMIR ADLEMAN"), the algorithm known by the
abbreviation SDE ("Syndrome Decoding Engine"), or again
the algorithm known by the abbreviation DES ("Data
Encryption Standard").

According to the invention, the algorithm with key Kj can
be identical or different for all or some of the keys Kj (j=1,
2, . . . , n).

Advantageously, according to a particular embodiment of 
the invention, the various keys Kj which are used succes- 
sively may be chosen with size increasing with the rank j of 
the key Kj. Any pirates are then placed in a situation in 
which the pirating of the various keys is made increasingly 
difficult. 

According to FIG. 3a, the various items constituting the
body of the message MEC according to the first format of
the invention follow one another in a certain order. The
invention relates, however, to the formats of messages MEC
for which the order of the items is different from that
represented in FIG. 3a.
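
The following Python sketch, added here as an example and not part of the patent text, builds a message in the FIG. 3a layout and runs it through a card that holds a single key Kj, its index I(Kj) and the key Q, including the key change the description covers further on. HMAC-SHA256 standing in for HASH_Q, an HMAC keystream XOR standing in for the encryption algorithm, and every function, field and key name are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 keystream.
    The description names RSA or DES; this keeps the sketch stdlib-only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", counter),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _hash_q(q: bytes, msg: dict) -> bytes:
    """HASH_Q stand-in (assumption): HMAC-SHA256 under Q over the provider
    ID, the access conditions and every (index, encrypted CW) item."""
    mac = hmac.new(q, digestmod=hashlib.sha256)

    def put(field: bytes) -> None:
        mac.update(struct.pack(">I", len(field)) + field)  # length-prefixed

    put(msg["id"])
    put(msg["access"])
    mac.update(struct.pack(">I", len(msg["items"])))
    for index, nonce, enc_cw in msg["items"]:
        mac.update(struct.pack(">I", index))
        put(nonce)
        put(enc_cw)
    return mac.digest()


def build_mec(provider_id: bytes, cw: bytes, keys: dict,
              access: bytes, q: bytes) -> dict:
    """Build a FIG. 3a-style MEC: the same CW encrypted once per key Kj,
    each copy tagged with its index I(Kj), plus access conditions and HASH_Q."""
    items = []
    for index in sorted(keys):
        nonce = os.urandom(8)
        items.append((index, nonce, _stream_xor(keys[index], nonce, cw)))
    msg = {"id": provider_id, "items": items, "access": access}
    msg["hash_q"] = _hash_q(q, msg)
    return msg


class Card:
    """User card holding one key Kj, its index I(Kj), Q and entitlements."""

    def __init__(self, key_index: int, key: bytes, q: bytes, entitlements: set):
        self.key_index, self.key, self.q = key_index, key, q
        self.entitlements = entitlements

    def control_word(self, msg: dict):
        # Validation circuit: reject any message whose HASH_Q does not verify.
        if not hmac.compare_digest(_hash_q(self.q, msg), msg["hash_q"]):
            return ("bad_hash", None)
        # Access control circuit: conditions must match a stored entitlement.
        if msg["access"] not in self.entitlements:
            return ("no_entitlement", None)
        # Pick the item whose index equals I(Kj); other copies are ignored.
        for index, nonce, enc_cw in msg["items"]:
            if index == self.key_index:
                return ("ok", _stream_xor(self.key, nonce, enc_cw))
        return ("no_item_for_key", None)


def demo() -> dict:
    # All values below are constructed for the example.
    cw = bytes.fromhex("00112233445566778899aabbccddeeff")
    q = b"constructed-validation-key-Q"
    keys = {1: b"constructed-K1", 2: b"constructed-K2", 3: b"constructed-K3"}
    access = b"package-A"

    old_medium = build_mec(b"PROV", cw, keys, access, q)
    # K1 is considered pirated: media issued afterwards drop the K1 item.
    new_medium = build_mec(b"PROV", cw, {2: keys[2], 3: keys[3]}, access, q)

    pirated_card = Card(1, keys[1], q, {access})
    renewed_card = Card(2, keys[2], q, {access})
    tampered = dict(old_medium, access=b"package-B")  # conditions altered

    return {
        "cw": cw,
        "renewed_on_old_medium": renewed_card.control_word(old_medium),
        "renewed_on_new_medium": renewed_card.control_word(new_medium),
        "pirated_on_old_medium": pirated_card.control_word(old_medium),
        "pirated_on_new_medium": pirated_card.control_word(new_medium),
        "tampered_conditions":
            Card(2, keys[2], q, {b"package-B"}).control_word(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the result, `pirated_on_old_medium` still yields the control word: a medium issued before the key change stays readable by a card holding the old key, and only media issued afterwards, which no longer carry the K1 item, are closed to it.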

FIG. 3b represents a second MEC message format accord- 
ing to the invention. 

The message MEC consists of a body C2b and a header
17, the content (H3) of which gives, among other things, the
type and size of the items contained in the body C2b.

The body C2b comprises, among other things:

p items ID1, ID2, IDk, . . . , IDp allowing each to identify
one of the p service providers, p being an integer,

n items A11, . . . , A1j, . . . , A1n, for the provider of rank
1, n being an integer,

m items A21, . . . , A2j, . . . , A2m, for the provider of rank
2, m being an integer,

v items Ak1, . . . , Akj, . . . , Akv, for the provider of rank
k, v being an integer,

w items Ap1, . . . , Apj, . . . , Apw, for the provider of rank
p, w being an integer,

each of the n+m+ . . . +v+ . . . +w items A11, . . . , Akj, . . . ,
Apw containing, according to the preferred embodiment
of the invention, the same control word Cwi
encrypted with an algorithm with respective keys
K11, . . . , Kkj, . . . , Kpw,

n items DX11, . . . , DX1j, . . . , DX1n for the provider of
rank 1,

m items DX21, . . . , DX2j, . . . , DX2n for the provider
of rank 2,

v items DXk1, . . . , DXkj, . . . , DXkv for the provider
of rank k,

w items DXp1, . . . , DXpj, . . . , DXpw, for the provider
of rank p,

each of the n+m+ . . . +v+ . . . +w items DX11, . . . ,
DXkj, . . . , DXpw containing the indices I(K11), . . . ,
I(Kkj), . . . , I(Kpw) making it possible to recognize, as
will be specified later, the respective keys K11, . . . ,
Kkj, . . . , Kpw, the indices with keys I(Kk1), . . . ,
I(Kkj), . . . , I(Kkp) of the service provider of rank k
(k=1, 2, . . . , p) defining an order k encryption keys
index field,

an item 18 containing the set of access conditions
associated with the service supplied by the p service
providers, the said access conditions being common to
the p service providers according to the preferred
embodiment of the invention,

a set of p data HASH_Q1, . . . , HASH_Qk, . . . , HASH_Qp,
the datum HASH_Qk making it possible to validate and
verify the content of the access conditions contained in
the message MEC as well as that part of the message
MEC associated with the service provider of rank k.
The datum HASH_Qk is controlled by a key Qk. The
keys Q1, . . . , Qj, . . . , Qp being preferably different
from one another and different from the encryption
keys Kkj,

a set of p data I(Q1), . . . , I(Qk), . . . , I(Qp) constituting
a control keys index field, the key index I(Qk) making
it possible, as will be specified later, to recognize datum
HASH_Qk.

According to the above-described preferred embodiment
of the invention, each of the n+m+ . . . +v+ . . . +w items
A11, . . . , Akj, . . . , Apw contains the same control word Cwi
encrypted with an algorithm with respective keys K11, . . . ,
Kkj, . . . , Kpw.

According to that embodiment of the invention described
in FIG. 3b, the access conditions 18 are common to the p
service providers. According to other embodiments of the
invention, the access conditions are different from one
service provider to another or from one group of service
providers to another.

As mentioned previously, the order in which the various 
items constituting the body of the message MEC follow one 
another may be different from that represented in FIG. 3b. 

According to a particular embodiment of the invention,
the encryption algorithm with key Kkj of the service
provider of rank k (k=1, 2, . . . , p) is the same irrespective of
the rank j of the key Kkj.

According to embodiments different from the particular 
embodiment mentioned above, the encryption algorithm 
with key Kkj can be different according to the rank k of the 
key Kkj. 

As in the case of the message MEC described in FIG. 3a, 
the various keys Kkj which are successively used by the 
same service provider may advantageously be of a size 
increasing with the rank j of the key Kkj so as to make
pirating increasingly difficult.

FIG. 4 represents a user card operating with a message
MEC according to FIG. 3a.

The user card contains five main circuits:

a circuit 20 for validating the user's entitlements;

a circuit 21 for storing the validated entitlements of the
user;

a circuit 22 for access control;

a circuit 23 for validating the messages MEC;

a circuit 24 for decrypting the encrypted control words.

The validation circuit 20 makes it possible to perform on
the messages MD the operations of user address recognition
and user entitlements analysis.

The analysis of the message MD is performed with the aid
of an analysis algorithm depending on a key KC contained
in the validation circuit 20. The key KC is preferably a
different key from any one of the encryption keys Kj
(j=1, 2, . . . , n). If the message MD is validated, the user's
entitlements contained in the message MD are stored in the
validated entitlements storage circuit 21.

The validation circuit 23 makes it possible to perform on
the access conditions contained in the messages MEC
validation operations identical to those performed on the
user's entitlements contained in the messages MD. The
validation of the messages MEC is performed with the aid of
a validation algorithm controlled by the key Q. The key Q is
contained in the circuit 23.

The decryption of the encrypted control word E(Cwi)Kj is
performed with the aid of the key Kj of the encryption
algorithm when the key Kj is the key contained in the
deciphering circuit 24.

When the key Kj is contained in the decryption circuit 24,
the latter also contains the index I(Kj) which makes it
possible to recognize the encrypted control word E(Cwi)Kj
from among the set of encrypted control words contained in
the message MEC. When the control word E(Cwi)Kj has
been recognized, the latter is transferred from the validation
circuit 23 to the decryption circuit 24. Decryption then takes
place.

The access control circuit 22 compares the validated
access conditions with the validated entitlements of the user.
If the validated access conditions correspond to the validated
entitlements of the user, a signal S, emanating from the
access control circuit 22, authorizes decryption of the
control word. In the contrary case, the signal S does not
authorize decryption.

As mentioned previously, the pirating of a user card may
lead to the knowledge of the control words encryption key
contained in the user card. When pirating becomes
excessive, the service provider distributes new user cards.
The decryption circuit for the control words of the new user
cards then contains a new encryption key as well as a new
encryption key index.

The new encryption key as well as the new key index are
contained in the messages MEC according to the invention.

In the case of off-line systems, to ensure the permanence
of his service, the service provider supplies his new
customers with new off-line information media in which the
control words encrypted with the key being pirated are
deleted.

As mentioned previously, advantageously, according to
the invention, the off-line information media distributed
before the change of encryption key are still usable after this
change. Thus, the use of these information media can be
performed either with a card containing the new encryption
key, or with an old card not containing the new encryption
key. Likewise, and in reciprocal manner, the off-line
information media distributed after the change of encryption
key can advantageously no longer be read with the user cards
containing the old encryption key as is the case, particularly,
of pirated cards.

[...] the service provider recovers the user cards
containing the pirated key and replaces them with new cards
containing a new encryption key as mentioned above.

Advantageously, a transient period in respect of the
distribution of new user cards may then be established.
Throughout the transient period, the messages MEC
disseminated by the service provider contain control words
encrypted with the key being pirated and the control words
encrypted with the new encryption key. When all the user
cards have been renewed, the service provider now issues
only messages MEC containing the new encryption key.

By way of non-limiting example, the number of versions
of encryption of control words, that is to say the number of
encryption algorithm keys for the control words, may be
between 5 and 10.

FIG. 5 represents the schematic of a user card operating
with a message MEC according to FIG. 3b.

The user card 25 of FIG. 5 is the card associated with the
service provider of rank k.

The user card 25 contains five main circuits:

a circuit 26 for validating the user's entitlements;

a circuit 27 for storing the validated entitlements of the
user;

a circuit 28 for access control;

a circuit 29 for validating the messages MEC;

a circuit 30 for decrypting the encrypted control words.

The circuits 26, 27 and 28 have functions identical to
those of the respective circuits 20, 21 and 22 described
previously.

The analysis of the messages MD is performed with the
aid of an analysis algorithm depending on a key KC
contained in the validation circuit 26. The key KC is
preferably a different key from the encryption key contained
in the decryption circuit 30.

The circuit 29 makes it possible to perform the validation
of the access conditions as well as that part of the message
MEC associated with the service provider of rank k. For this
purpose the circuit 29 contains the control key index I(Qk)
making it possible to recognize the datum HASH_Qk within
the message MEC as well as the key Qk making it possible
to control the datum HASH_Qk.

The control words decryption circuit 30 contains the
encryption key Kkj and the encryption key index I(Kkj).

Validation of the access conditions contained in the
messages MEC is performed with the aid of a validation
algorithm controlled by the key Qk when the control words
decryption circuit 30 contains the key Kkj and the index
I(Kkj).

The key index I(Kkj) makes it possible to recognize the
encrypted control word E(Cwi)Kkj from among the set of
encrypted control words. When the control word E(Cwi)Kkj
has been recognized, the latter is transferred from the
validation circuit 29 to the decryption circuit 30. The
decryption of the encrypted control word E(Cwi)Kkj is then
performed with the aid of the key Kkj of the encryption
algorithm.

According to the preferred embodiment of the invention,
the message MEC described in FIG. 3a comprises an
encryption keys index field and the message MEC described
in FIG. 3b comprises p encryption keys index fields and one
control keys index field. As mentioned previously, these
keys indices allow recognition by the user card of the data
associated with them.

According to other embodiments of the invention, the
messages MEC contain no encryption keys indices and/or
control keys indices. The control words to be decrypted and
the data making it possible to validate the messages MEC
are recognized by the user card by virtue of their ordering
and their size. In a manner known per se, the circuits 24 and
30 then contain items necessary for recognizing the ordering
and size of the control words to be decrypted and the circuit
29 contains items necessary for recognizing the ordering and
size of the data making it possible to validate and verify the
messages MEC.

Irrespective of the type of message MEC of the invention,
the invention relates, in the case of off-line systems, to an
off-line information medium containing an item scrambled
by a string of N control words, characterized in that it
comprises p strings of items consisting of N encrypted
control words, each string of items making it possible to
descramble the scrambled item, p being an integer greater
than or equal to 1.

The string of items consisting of the N encrypted control
words consists of a string of identical encrypted control
words, each control word being encrypted with an algorithm
with different key.

Thus, the off-line information media according to the
invention contain messages MEC such as those described in
FIG. 3a or FIG. 3b. According to the invention, the messages
MEC contained on the off-line information media then
contain all the items necessary for descrambling the entire
scrambled item.

FIGS. 3a and 3b therefore also constitute a symbolic
representation of two MEC message format examples
contained on the off-line information media according to the
invention.

In the case in which the information medium contains
several strings of items making it possible to descramble the
scrambled item, each string of items is preferably associated
with a different service provider.

The insertion of the messages MEC within the item
contained on the off-line medium may be performed, by way
of example, with the aid of the standard known to a person
skilled in the art by the name "MPEG-2 System". In the
case in which storage of the item on the off-line medium is
not compatible with the "MPEG-2 System" standard,
another mode of insertion of the messages MEC consists, for
example, in retaining only one or a few messages MEC, for
example 2 or 3 messages MEC, with the entirety of the
programs contained on the medium and in placing these
messages MEC in the header of each of the programs or of
any other structure having a magnitude sufficient to store
these few messages MEC.

The invention also has another advantage in the context of
on-line systems.

Thus, in the context of on-line systems prohibiting any
copying in clear of the scrambled programs disseminated,
the invention allows the various service providers to control
the use of copies and/or recordings of the scrambled
programs. Thus, to see the copies and/or the recordings of the
scrambled programs in clear, the users are then compelled to
request entitlements from the service provider. The reading
of the copies and/or the recordings is then conditioned by the
presence or otherwise of the corresponding entitlements in
the user's card.

All the advantages mentioned previously in respect of the
off-line information media used in the context of the
invention therefore also appertain in respect of the copies
and/or recordings of scrambled programs.

We claim:

1. A message for delivering access conditions to a service
scrambled using a control word, said message containing:

n items comprising said control word encrypted
using n different encryption keys K1, K2, . . . , Kj, . . . ,
Kn;

wherein n is an integer greater than 1.

2. The message according to claim 1, further comprising
n additional items, each comprising a key index associated
with [...] encryption keys.

3. The message according to claim 1, further comprising
a second item for validating and verifying the content of said
message, the content of said second item being controlled by
a validation key Q, wherein said validation key Q is different
from all said encryption keys K1, K2, . . . , Kj, . . . , Kn.

4. The message according to claim 1, wherein said
encryption keys Kj (j=1, 2, . . . , n) have a size increasing
with the rank j of Kj.

5. A message for delivering access conditions to services
delivered by p different service providers scrambled using a
control word, said message containing:

p first items, each for identifying one of said p service
providers; and, for each of said p service providers of
rank k (k=1, 2, . . . , p):

v_k (v_k=n, m, v, w) second items, each comprising
said control word encrypted using different encryption
keys Kk1, Kk2, . . . , Kkj, . . . , Kkv_k;

wherein p and v_k are integers greater than 1.

6. The message according to claim 5, further comprising,
for each of said p service providers of rank k (k=1, 2, . . . ,
p):

v_k (v_k=n, m, . . . , v, . . . , w) key index fields I(Kk1),
I(Kk2), . . . , I(Kkj), . . . , I(Kkv), wherein each key
index is associated with one of said encryption keys.

7. The message according to claim 5, wherein said integer
v_k is different from one service provider to another or from
one group of service providers to another.

According to a particular embodiment of the system 8, The message according to claim 5, further comprising 
described in FIG. 5, several different service suppliers can 55 p additional items, each being associated with one of said 
distribute identical programs on the same off-Une informa- service providers for validating and verifying access condi- 
tion medium such as, for example, a digital video disc. tions to the service as well as the content of the message 

Advantageously, each service provider is then not com- relating to the service provider with which each said p 

pelled to press his own digital video discs. Various service additional item is associated, the content of each of said p 

providers can thus offer, on the same medium, all or some of 60 additional items being controlled by a validation key Ql, 

their services at lesser cost without mutually disclosing their Q2, Qp which is individual thereto, 

respective keys of the control words encryption algorithm. 9. The message according to claim 8, wherein said vali- 

The advantage described above in the context of an dation keys Ql, Q2, . . . , Qp are different from aU said 

off-line system applies also in the context of an on-line encryption keys. 

system. Several disseminators of programs can then offer 65 10. The message according to claim 5, wherein successive 

access to the same program using messages MEC such as encryption keys of at least one service provider have a size 

those described in FIG. 36. increasing with the rank of the key. 
11. A method for descrambling a service scrambled using a control word, said method comprising the step of:
supplying a message containing access conditions associated with a user and n items, each comprising said control word encrypted using n different encryption keys K1, K2, . . . , Kj, . . . , Kn,
wherein n is an integer greater than 1.

12. The method according to claim 11, wherein the step of supplying said message is performed with the aid of a second item for validating and verifying the content of said message, the content of said second item being controlled by a validation key Q, said validation key Q being different from all said encryption keys K1, K2, . . . , Kj, . . . , Kn.

13. A method for descrambling services, delivered by p different service providers, scrambled using a control word, said method comprising the step of:
supplying a message containing access conditions associated with a user together with p first items, each for identifying one of said p service providers, said message further comprising, for each service provider of rank k (k=1, 2, . . . , p):
vk (vk = n, m, . . . , v, w) second items, each comprising said control word encrypted using different encryption keys Kk1, Kk2, . . . , Kkj, . . . , Kkv;
wherein p and vk are integers greater than 1.

14. The method according to claim 13, wherein the step of supplying said message further comprises, for each of said p service providers of rank k (k=1, 2, . . . , p):
distributing vk (vk = n, m, . . . , v, . . . , w) key index fields I(Kk1), I(Kk2), . . . , I(Kkv) (k=1, 2, . . . , p), each key index being associated with one of said encryption keys.

15. The method according to claim 14, wherein the step of supplying said message further comprises:
distributing p additional items HASHQ1, . . . , HASHQk, . . . , HASHQp, each of said additional items being associated with one of said service providers for validating and verifying access conditions to the service as well as the content of the message relating to the service provider with which said item is associated, the content of each of said p additional items being controlled by a validation key Q1, Q2, . . . , Qp which is individual thereto.

16. The method according to claim 15, wherein said validation keys Q1, Q2, . . . , Qp are different from all said encryption keys.

17. A smart card for providing a control word for descrambling a received scrambled service comprising:
means for receiving a first message, said first message containing data corresponding to access conditions associated with a user and n items each comprising said control word encrypted using n different encryption keys K1, K2, . . . , Kj, . . . , Kn, wherein n is an integer greater than 1; and
means for validating said first message using a validation key Q;
wherein said validation key Q is different from all said encryption keys.

18. The smart card according to claim 17, further comprising:
means for receiving a second message, said second message containing data corresponding to entitlements associated with said user,
means for validating said second message using a control key KC;
wherein said control key KC is different from said validation key Q for validating said first message.

19. The smart card according to claim 18, wherein said control key is different from all said encryption keys.

20. The smart card according to claim 17, further comprising:
deciphering means for decrypting said encrypted control word, wherein said deciphering means includes at least one of said encryption keys.

21. The smart card according to claim 20, wherein said deciphering means further includes:
means for recognizing in said first message an item containing said control word encrypted using an encryption key contained in said deciphering means.

22. The smart card according to claim 17, wherein said validation means comprises means for recognizing in said message an item associated with said service provider delivering the scrambled service, for validating and verifying access conditions to said service as well as the content of said message, the content of said item being controlled by said validation key Qk.

23. The smart card according to claim 22, wherein said item comprises a validation key index I(Qk).

24. A conditional access system for selectively supplying services to a user comprising:
providing a service scrambled using a control word, entitlement data associated with said user's entitlements and access conditions data associated with access conditions, said access conditions data containing n items each comprising said control word encrypted using n different encryption keys K1, K2, . . . , Kj, . . . , Kn, wherein n is an integer greater than 1;
a decoder for descrambling said scrambled service;
a smart card for receiving said entitlement data and said access condition data and for providing said control word to said decoder, wherein said smart card comprises deciphering means for decrypting said encrypted control word, said deciphering means containing at least one of said encryption keys.

25. The conditional access system according to claim 24, wherein said system is an "on-line" type.

26. The conditional access system according to claim 24, wherein said system is an "off-line" type.

27. A conditional access system for selectively supplying services delivered by p different service providers to a user comprising:
providing a service scrambled using a control word, entitlement data associated with said user's entitlements and access condition data associated with access conditions;
a decoder for descrambling said scrambled service;
a smart card for receiving said entitlement data and said access condition data and for providing said control word to said decoder;
wherein said access conditions data are conveyed to said smart card in a message containing p first items, each for identifying one of said p service providers; and, for each of said p service providers of rank k (k=1, 2, . . . , p):
vk (vk = n, m, . . . , v, . . . , w) second items, each comprising said control word encrypted using different encryption keys Kk1, Kk2, . . . , Kkj, . . . , Kkvk;
wherein p and vk are integers greater than 1; and
wherein said smart card includes:
means for receiving a first message, said first message containing data corresponding to access conditions
associated with a user and n items each comprising said
control word encrypted using n different encryption
keys K1, K2, . . . , Kj, . . . , Kn, wherein n is an integer
greater than 1; and
means for validating said first message using a validation 
key Q; 

wherein said validation key Q is different from all said
encryption keys. 

28. The conditional access system according to claim 27, 
wherein said system is an "on-line" type. 

29. The conditional access system according to claim 27, 
wherein said system is an "off-line" type. 

30. An off-line information medium containing: 
data scrambled using a string of N control words 

Cw1, . . . , Cwi, . . . CwN, N being an integer greater

than 1; and
for each of said N control words Cwi:

a string of additional data comprising said control word
encrypted using different encryption keys K11, . . . ,
K1n, K21, . . . , K2m, Kk1, . . . , Kkv, Kp1, . . . Kpw.

31. The off-line information medium according to claim 
30, further comprising: 

access conditions to said scrambled data; 
a second item for validating and verifying said access
conditions;

wherein said second item is controlled by a validation key 
different from all said encryption keys. 

32. The off-line information medium according to claim 
30, further comprising: 

access conditions to said scrambled data; 
p first additional items, each for identifying one among p 

service providers; 
p second additional items, each being associated with one 

of said service providers for validating and verifying 
said access conditions as well as information specific to
said service provider corresponding to it; 
wherein the string of additional items comprising said 
control word encrypted using different encryption keys 
is broken down into p data sub-sets, each of said p data 
sub-sets being associated with a different service provider.

33. The off-line information medium according to claim 
32, wherein said second additional items are controlled by 
validation keys which are different from all said encryption
keys. 

34. The off-line information medium according to claim 
32, further comprising, for each item of said string of
additional items comprising said control word encrypted 
using different encryption keys, an encryption index for 
recognizing the encrypted control word. 

35. A smart card for providing a control word for 
descrambling a received scrambled service delivered by one
among p different service providers comprising: 

means for receiving a message, said message containing 
data corresponding to access conditions associated with
a user and containing: 

p first items, each for identifying one of said p service 
providers; and, for each of said p service providers of 
rank k (k=l, 2, . . . , p): 
vk (vk = n, m, . . . , v, . . . , w) second items, each
comprising said control word encrypted using different
encryption keys Kk1, Kk2, . . . , Kkj, . . . , Kkvk;
wherein p and vk are integers greater than 1;
means for validating said message using a validation key 
Qk which is associated with said service provider 
delivering the scrambled service, wherein said validation
key Qk is different from all said encryption keys.
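
An added sketch, not part of the patent text, of the message recited in claims 1 to 3 and the card behaviour of claims 17, 20 and 21: one message carries the same control word encrypted under each key Kj with a key index, plus a hash item controlled by a separate key Q, and a card holding a single Kj validates the message and then decrypts only its own item. The HMAC-SHA256 keystream and tag, the field names and the sample keys are assumptions, since the claims name no algorithm.

```python
import hashlib
import hmac
import os

# Stand-in primitives (assumptions): an HMAC-SHA256 keystream plays the role of the
# encryption algorithm and HMAC-SHA256 the role of the validation item.
def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    if len(data) > 32:
        raise ValueError("control word too long for this sketch")
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _hash_item(q: bytes, access: bytes, items: list) -> bytes:
    mac = hmac.new(q, len(access).to_bytes(2, "big") + access, hashlib.sha256)
    for index, nonce, ct in items:
        mac.update(index.to_bytes(2, "big") + nonce + len(ct).to_bytes(2, "big") + ct)
    return mac.digest()

def build_mec(cw: bytes, keys: dict, q: bytes, access: bytes) -> dict:
    """Provider side: the same control word encrypted once per key Kj, with index I(Kj)."""
    if any(hmac.compare_digest(q, kj) for kj in keys.values()):
        raise ValueError("validation key Q must differ from every encryption key")
    items = []
    for index in sorted(keys):
        nonce = os.urandom(16)
        items.append((index, nonce, _crypt(keys[index], nonce, cw)))
    return {"access": access, "items": items, "hash": _hash_item(q, access, items)}

def card_recover_cw(mec: dict, card_index: int, card_key: bytes, q: bytes) -> bytes:
    """Card side: validate the message with Q, then decrypt the item matching its key index."""
    expected = _hash_item(q, mec["access"], mec["items"])
    if not hmac.compare_digest(expected, mec["hash"]):
        raise ValueError("message failed validation")
    for index, nonce, ct in mec["items"]:
        if index == card_index:
            return _crypt(card_key, nonce, ct)
    raise LookupError("no item encrypted under this card's key")

# Constructed sample values, for illustration only (K2 longer than K1, as in claim 4).
KEYS = {1: bytes(range(16)), 2: bytes(range(16, 40))}
Q = b"constructed-validation-key-Q"
CW = bytes.fromhex("0123456789abcdef")
MEC = build_mec(CW, KEYS, Q, b"channel=7;tier=basic")
```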
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